Bug 117280 - JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
Summary: JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Duplicates: 116052
Depends on:
Blocks:
 
Reported: 2013-06-05 21:41 PDT by Michael Saboff
Modified: 2013-06-06 15:51 PDT (History)

See Also:


Attachments
Patch (5.84 KB, patch)
2013-06-05 22:01 PDT, Michael Saboff
fpizlo: review+

Description Michael Saboff 2013-06-05 21:41:05 PDT
We are crashing because an argument variable has been speculated to be an Int32, but there isn't a corresponding speculation check on entry to the function.  When it is called with a non-int value and we OSR exit for some other reason, we crash in the baseline JIT because the tag is bogus.
Comment 1 Michael Saboff 2013-06-05 21:41:22 PDT
<rdar://problem/13548820>
Comment 2 Michael Saboff 2013-06-05 22:01:33 PDT
Created attachment 203903
Patch

This fixes the problem by merging the various attributes of a VariableAccessData with the root node of the unified set of VariableAccessData nodes.  Before we were merging with a leaf node and therefore the merge didn't propagate to the code generation phase.

This is performance neutral on SunSpider and V8.
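The root-versus-leaf distinction in Comment 2 is easiest to see with a small union-find model. The block below is an added illustration, not WebKit's VariableAccessData code: the class, the attribute names (needsCheck, prediction) and the helper functions are hypothetical stand-ins for "attributes that code generation reads off the root of a unified set". It shows that recording an attribute on a non-root member leaves find(root) unchanged, while recording it on the root makes it visible to every member of the set.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical model of a unified set of variable-access nodes. Attributes are
// only meaningful on the root of a set; "code generation" queries them via find().
struct Node {
    std::size_t parent;       // index of parent; equals own index for a root
    bool needsCheck = false;  // hypothetical: an Int32 speculation check is required
    unsigned prediction = 0;  // hypothetical: merged type-prediction bits
};

class VarSets {
public:
    std::size_t add() {
        std::size_t idx = nodes.size();
        nodes.push_back({idx});
        return idx;
    }

    // Find the root of i's set, halving the path as we go.
    std::size_t find(std::size_t i) {
        while (nodes[i].parent != i) {
            nodes[i].parent = nodes[nodes[i].parent].parent;
            i = nodes[i].parent;
        }
        return i;
    }

    // Union two sets; the attributes of both roots are merged into the surviving root.
    void unionWith(std::size_t a, std::size_t b) {
        a = find(a);
        b = find(b);
        if (a == b)
            return;
        nodes[b].parent = a;
        nodes[a].needsCheck |= nodes[b].needsCheck;
        nodes[a].prediction |= nodes[b].prediction;
    }

    // Buggy pattern: merge new attributes into whatever node the caller handed
    // us. If that node is a leaf, the root (and thus code generation) never sees them.
    void mergeIntoLeaf(std::size_t i, bool check, unsigned pred) {
        nodes[i].needsCheck |= check;
        nodes[i].prediction |= pred;
    }

    // Fixed pattern: always merge into the root of the unified set.
    void mergeIntoRoot(std::size_t i, bool check, unsigned pred) {
        std::size_t r = find(i);
        nodes[r].needsCheck |= check;
        nodes[r].prediction |= pred;
    }

    bool rootNeedsCheck(std::size_t i) { return nodes[find(i)].needsCheck; }
    unsigned rootPrediction(std::size_t i) { return nodes[find(i)].prediction; }

private:
    std::vector<Node> nodes;
};

// Scenario: an argument variable and a local that have been unified, after which
// "this access needs an Int32 check" is recorded on the local (the leaf).
bool leafMergeLosesAttribute() {
    VarSets s;
    std::size_t arg = s.add(), local = s.add();
    s.unionWith(arg, local);            // arg becomes the root, local a leaf
    s.mergeIntoLeaf(local, true, 0x1);  // attribute is stuck on the leaf
    return !s.rootNeedsCheck(arg);      // true: the root reports no check needed
}

bool rootMergePropagatesAttribute() {
    VarSets s;
    std::size_t arg = s.add(), local = s.add();
    s.unionWith(arg, local);
    s.mergeIntoRoot(local, true, 0x1);  // attribute lands on the root
    return s.rootNeedsCheck(arg) && s.rootPrediction(local) == 0x1;
}
```

The first scenario is the shape of the bug in the description: the requirement for a speculation check exists somewhere in the set, but the node code generation consults does not carry it, so the function is entered without the check and a later OSR exit sees a value whose tag does not match the assumed Int32.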
Comment 3 Michael Saboff 2013-06-06 08:37:24 PDT
Committed r151273: <http://trac.webkit.org/changeset/151273>
Comment 4 Alexey Proskuryakov 2013-06-06 15:51:31 PDT
*** Bug 116052 has been marked as a duplicate of this bug. ***